FreeIPA 4.11.0-beta

FreeIPA 4.11.0-beta#

The FreeIPA team would like to announce FreeIPA 4.11.0 beta release!

It can be downloaded from http://www.freeipa.org/page/Downloads. Builds for Fedora distributions will be available from the official repository soon.

FreeIPA 4.11 series introduce support for FIDO2-based passkeys.

Traditional authentication with a password is not considered secure enough by many companies or government agencies. Alternate and more secure solutions exist, among which the use of passkeys, where the private key is stored on an external device and the server only needs to know the public key.

For the purpose of this feature, passkey is a FIDO2 compatible device supported by the libfido2 library. For more details, refer to https://fidoalliance.org/fido2/

The goal of this feature is to use a passkey to authenticate a user against IPA. FIDO2-based passkeys support is jointly developed by SSSD and IPA:

  • IPA provides the interface to store the user’s public credentials

  • IPA provides the interface to configure passkey settings

  • SSSD performs the actual authentication

Support for passkeys expands FreeIPA passwordless experience. It is already possible to authenticate FreeIPA users with other hardware-based and passwordless authentication mechanisms such as

  • smartcards, using PKCS#11 tokens

  • two-factor authentication with HOTP or TOTP tokens

  • delegating authentication to an external OAuth2 identity provider (IdP) with OAuth2 device authorization flow

  • delegating authentication to an external RADIUS server

Initial implementation only supports physical FIDO2 devices and requires use of SSSD 2.9.1 or later version, with passkeys support enabled. At the time of FreeIPA 4.11.0 release this version is only available in developing versions of Fedora (39/Rawhide), Debian (testing/sid), Ubuntu (Mantic) and several other distributions.

Two major missing features in passwordless authentication integration in FreeIPA currently are:

  • ability to use only passwordless authentication to enroll hosts to IPA

  • ability to login with passwordless authentication methods to FreeIPA Web UI without using Kerberos

We also expect a nicer integration with graphical environments to happen in future releases.

More details on passkeys integration can be found in the FreeIPA design page.

At Flock to Fedora 2023 conference we have also presented “Passwordless Fedora” talk that shows our progress in this journey for the past decade:

Highlights in 4.11.0#

  • 9326: Add support for passkey authentication type in kdb driver

  • 9262: Add “passkey” authentication type

  • 9261: Add CLI and WebUI to register a passkey for a user

  • 9336: Allow custom real name in IPA-EPN

Bug fixes#

FreeIPA 4.11.0-beta is a stabilization release for the features delivered as a part of 4.11 version series.

There are more than 20 bug-fixes since FreeIPA 4.10.2 release. Details of the bug-fixes can be seen in the list of resolved tickets below.

Upgrading#

Upgrade instructions are available on Upgrade page.

Feedback#

Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/) or #freeipa channel on libera.chat.

Resolved tickets#

  • #9003 ipa-server-install not validating hostname != domain

  • #9261 Add CLI and WebUI to register a passkey for a user

  • #9262 Add “passkey” authentication type

  • #9263 Add support for passkey authentication type in kdb driver

  • #9317 Distinguish between different location meaning

  • #9330 (rhbz#2214933) Nightly test failure (testing_master_pki): TestBackupReinstallRestoreWithKRA::test_full_backup_reinstall_restore_with_vault

  • #9331 (rhbz#2164349) Better handling of the command line and web UI cert search and/or list features

  • #9336 Allow custom real name in IPA-EPN

  • #9378 (rhbz#2150217) [RFE] Descriptive error message in ipa user-add

  • #9381 (rhbz#2215336) Race condition in ipa-server-upgrade where pki-tomcat needs dirsrv while it’s stopped

  • #9385 (rhbz#2216549) Upgrade to 4.9.10-6.0.1 fails: attributes are managed by topology plugin

  • #9386 Update SELinux policy

  • #9389 Nightly test failure in test_webui_service

  • #9396 Renaming user or group with –setattr does not check supported formats

  • #9399 Nightly tests(rawhide): test_epn not compatible with dnf5

  • #9402 (rhbz#2216872) OTP authentication failure on s390x

  • #9404 Nightly test failure in test_integration/test_backup_and_restore.py::TestBackupAndRestoreWithReplica::test_full_backup_and_restore_with_replica

  • #9409 freeipa uses ssl.match_hostname() which was removed from Python 3.12

  • #9416 (rhbz#2224570) Better error description when managing a user with ‘–idp’

  • #9419 Nightly test failure in test_epn.py::TestEPN::test_EPN_config_file

  • #9403 (rhbz#2209636) libipa_otp_lasttoken plugin memory leak

  • #9421 ipa idp-add –provider silently ignores options like –scope

  • #9422 (rhbz#2214638, rhbz#2227831, rhbz#2227832) Interrupt request processing in ipadb_fill_info3() if connection to 389ds is lost

  • #8878 (rhbz#1821181, rhbz#2229712) Prevent deletion of ‘admin’ account with web UI

  • #9348 Nightly test failure (testing_master_pki): test_integration/test_acme.py::TestACMEPrune::test_prune_cert_manual

  • #9425 Python 3.12 issues: datetime.utcnow is deprecated

  • #9427 (rhbz#2216532) RHEL 8.8 & 9.2 fails to create AD trust with STIG applied

  • #9418 Typo in “Subordinate ID Selfservice User” role

  • #9395 Search for user by krbPrincipalExpiration not returning results

Detailed changelog since 4.10.2#

Armando Neto (1)#

  • ipatests: update rawhide template commit

Alexander Bokovoy (10)#

  • ipalib/x509.py: Add signature_algorithm_parameters commit

  • ipa-kdb: postpone ticket checksum configuration commit

  • ipa-kdb: protect against context corruption commit

  • doc/designs: update link to SSSD passkey design page commit

  • ipa-kdb: initial support for passkeys commit #9263

  • Change doc theme to ‘book’ commit

  • idp: when adding an IdP allow to override IdP options commit #9421

  • ipa-epn: don’t use too general exception commit #9425

  • python 3.12: utcnow function is deprecated commit #9425

  • support more DateTime attributes in LDAP searches in IPA API commit #9395

Andika Triwidada (1)#

  • Translated using Weblate (Indonesian) commit

Antonio Torres (3)#

  • Update contributors list commit

  • Update translations to FreeIPA master state commit

  • Bump to IPA 4.11 commit

Alexey Tikhonov (2)#

  • extdom: avoid sss_nss_getorigby*() calls when get*_r_wrapper() returns object from a wrong domain (performance optimization) commit

  • extdom: internal functions should be static commit

Chris Kelley (1)#

  • Check that CADogtagCertsConfigCheck can handle cert renewal commit

Jan Kuparinen (14)#

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

David Pascual (4)#

  • doc: Use case examples for PR-CI checker tool commit

  • ipatests: fix (prci_checker) duplicated check & error return code commit

  • ipatest: fix prci checker target masked return code & add pylint commit

  • ipatests: Checker script for prci definitions commit

Erik Belko (1)#

  • test: add tests for descriptive error message in ipa user-add commit #9378

Endi Sukma Dewata (6)#

  • Explicitly use legacy ID generators by default commit

  • Remove pki_restart_configured_instance commit

  • Remove default values for pki_ca_signing_*_path commit

  • Remove non-existent default pki_cert_chain_path commit

  • Add pki_share_dbuser_dn for CA commit

  • Remove unused subsystem.count commit

Filip Dvorak (1)#

  • ipa tests: Add LANG before kinit command to fix issue with locale settings commit

Florence Blanc-Renaud (56)#

  • xmlrpc tests: add a test for user plugin with non-existing idp commit #9416

  • User plugin: improve error related to non existing idp commit #9416

  • OTP: fix data type to avoid endianness issue commit #9402

  • ipatests: use dnf download to download pkgs commit #9399

  • tests: fix backup-restore scenario with replica commit #9404

  • Detection of PKI subsystem commit #9330

  • Uninstaller: uninstall PKI before shutting down services commit #9330

  • Integration tests: add a test to ipa-server-upgrade commit #9385

  • Upgrade: fix replica agreement commit #9385

  • Integration test: add a test for upgrade and PKI drop-in file commit #9381

  • Upgrade: add PKI drop-in file if missing commit #9381

  • xmlrpc tests: add test renaming user or group with setattr commit #9396

  • User and groups: rename with –setattr must check format commit #9396

  • webuitests: close notification which hides Add button commit #9389

  • Spec file: bump SSSD version for passkey support commit

  • Passkey: add a weak dependency on sssd-passkey commit

  • Webui tests: fix test failure commit

  • passkey: adjust selinux security context for passkey_child commit

  • passkeyconfig: require-user-verification is a boolean commit

  • Passkey: update the API doc commit

  • Passkey: extract the passkey from stdout commit

  • Passkey: add “passkey configuration” to webui commit #9261

  • WebUI: improve passkey display commit #9261

  • Passkey support: show the passkey in webui commit #9261

  • Passkey: add support for discoverable credentials commit

  • WebUI tests: add test for krbtpolicy passkey maxlife/maxrenew commit #9262

  • WebUI: add support for passkey auth type and auth indicator commit #9262

  • XMLRPC tests: add new tests for passkey auth type commit

  • CLI: add support for passkey authentication type commit #9262

  • XMLRPC tests: test new passkey commands commit #9261

  • API: add new commands for passkey mappings commit #9261

  • API: add new commands for ipa passkeyconfig-show | mod commit #9261

  • New schema for Passkey mappings commit #9261

  • Design for passkey support commit #9261

  • PRCI: update rawhide box commit

  • user or group name: explain the supported format commit

  • azure tests: move to fedora 38 commit

  • Tests: test on f37 and f38 commit

  • cert_find: fix call with –all commit #9331

  • Spec file: use %autosetup instead of %setup commit

  • Spec file: unify with RHEL9 spec commit

  • azure tests: move to fedora 37 commit

  • Spec file: bump krb5_kdb_version on rawhide commit

  • FIPS setup: fix typo filtering camellia encryption commit

  • cert utilities: MAC verification is incompatible with FIPS mode commit

  • PRCI: update memory reqs for each topology commit

  • ipatests: update vagrant boxes commit

  • Tests: test on f37 and f36 commit

  • gitignore: add install/oddjob/org.freeipa.server.config-enable-sid commit

  • ipatests: update expected cksum for epn.conf commit #9419

  • ipatests: update expected webui msg for admin deletion commit #8878

  • ipatests: fixture can produce IndexError commit #9348

  • ipatests: fix test_topology commit

  • Installer: activate nss and pam services in sssd.conf commit #9427

  • ipa-server-guard: make the lock timezone aware commit #9425

  • ipa-cert-fix: use timezone-aware datetime commit #9425

  • ipa-epn: include timezone info commit #9425

Fraser Tweedale (1)#

  • BUILD.txt: remove redundant dnf-builddep option commit

Iker Pedrosa (4)#

  • Passkey design: add second sssd design page commit

  • Passkey design: user verification clarification commit

  • Passkey design: fix user verification commit

  • ipatests: definitions for SSSD COPR nightly commit

Jarl Gullberg (1)#

  • ipaplatform/debian: fix path to ldap.so commit

Julien Rische (2)#

  • Filter out constrained delegation ACL from KDB entry commit

  • ipa-kdb: fix error handling of is_master_host() commit #9422

Lenz Grimmer (1)#

  • doc: Fix incorrect URL format commit

Jerry James (1)#

  • Change fontawesome-fonts requires to match fontawesome 4.x commit

Miro Hrončok (1)#

  • Use ssl.match_hostname from urllib3 as it was removed from Python 3.12 commit #9409

Mohammad Rizwan (4)#

  • ipatests: enable firewall rule for http service on acme client commit

  • ipatests: wait for sssd-kcm to settle after date change commit

  • ipatests: Test newly added certificate lable commit

  • ipatests: remove fixture call and wait to get things settle commit #9348

Weblate (5)#

  • Update translation files commit

  • Update translation files commit

  • Update translation files commit

  • Update translation files commit

  • Update translation files commit

Piotr Drąg (2)#

  • Translated using Weblate (Polish) commit

  • Translated using Weblate (Polish) commit

Rob Crittenden (10)#

  • Differentiate location meaning between host and server commit #9317

  • Use the python-cryptography parser directly in cert-find commit #9331

  • Revert “cert_find: fix call with –all” commit #9331

  • Revert “Use the OpenSSL certificate parser in cert-find” commit #9331

  • Don’t allow the FQDN to match the domain on server installs commit #9003

  • Use the OpenSSL certificate parser in cert-find commit #9331

  • Enforce sizelimit in cert-find commit #9331

  • Fix memory leak in the OTP last token plugin commit #9403

  • Prevent the admin user from being deleted commit #8878

  • Remove all references to deleted indirect map from parent map commit #9397

Ricky Tigg (3)#

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

  • Translated using Weblate (Finnish) commit

Rafael Guterres Jeffman (2)#

  • selinux: Update SELinux policy commit #9386

  • Fix typo in “Subordinate ID Selfservice User” role commit #9418

Sumit Bose (7)#

  • ipa-otpd: add passkey_child_debug_level option commit

  • ipa-otpd: add support for passkey authentication commit

  • ipa-otpd: make get_krad_attr_from_packet() public commit

  • ipa-otpd: make auth_type_is(), get_string() and get_string_array() public commit

  • ipa-otpd: make add_krad_attr_to_set() public commit

  • ipa-otpd: suppress “function declaration isn’t a prototype” warning commit

  • ipa-kdb: do not fail if certmap rule cannot be added commit

김인수 (4)#

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Translated using Weblate (Korean) commit

  • Added translation using Weblate (Korean) commit

Simon Nussbaum (1)#

  • component: mail_from_realname config setting added to IPA-EPN commit #9336

Scott Poore (1)#

  • ipatests: add prci definitions for test_sso jobs commit

Sudhir Menon (2)#

  • ipatests: ipa-adtrust-install command test scenarios commit

  • ipatests: idm api related tests. commit

Temuri Doghonadze (4)#

  • Translated using Weblate (Georgian) commit

  • Translated using Weblate (Georgian) commit

  • Translated using Weblate (Georgian) commit

  • Added translation using Weblate (Georgian) commit

Todd Zullinger (2)#

  • spec: silence krb5 pkgconf errors in %krb5_base_version commit

  • spec: verify upstream source signature commit

Thorsten Scherf (1)#

  • external-idp: change idp server name to reference name commit

Viacheslav Sychov (1)#

  • fix: Handle /proc/1/sched missing error commit

Yuri Chornoivan (6)#

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit

  • Translated using Weblate (Ukrainian) commit